From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH 1/8] unbound: Add switch to enable Google Safe Search
Date: Mon, 13 May 2019 16:47:54 +0100
Message-ID: <14FC89AA-5679-4DF9-A091-7E6CB643AA93@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3898746108213220855=="
List-Id:

--===============3898746108213220855==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

There is no rewrite happening on google.com, only www.google.com. The output looks fine.

I have decided to merge this patchset and we will ship it, but there is no way for users to activate it yet apart from manually editing the configuration file. There must be some UI element later.

That gives us some extra time to test it.

Can you apply the latest configuration and initscript from next and run tests again?

-Michael

> On 3 May 2019, at 12:21, Matthias Fischer wrote:
>
> On 03.05.2019 10:54, Michael Tremer wrote:
>> Hi,
>
> Hi,
>
>> What happens when you run “dig google.com” on the console?
>
> In browser, https://www.google.de/ gives me:
>
> "Hmm. We’re having trouble finding that site."
>
> 'dig' results:
>
> ***SNIP***
> root(a)ipfire: /etc/init.d # dig google.com
>
> ; <<>> DiG 9.11.6-P1 <<>> google.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25720
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;google.com. IN A
>
> ;; ANSWER SECTION:
> google.com. 108 IN A 216.58.205.238
>
> ;; Query time: 418 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 03 13:09:28 CEST 2019
> ;; MSG SIZE rcvd: 55
> ***SNAP***
>
> ***SNIP***
> root(a)ipfire: /etc/unbound # dig bing.com
>
> ; <<>> DiG 9.11.6-P1 <<>> bing.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45651
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;bing.com. IN A
>
> ;; ANSWER SECTION:
> bing.com. 191 IN A 13.107.21.200
> bing.com. 191 IN A 204.79.197.200
>
> ;; Query time: 158 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 03 13:12:11 CEST 2019
> ;; MSG SIZE rcvd: 69
> ***SNAP***
>
> ***SNIP***
> root(a)ipfire: /etc/unbound # dig duckduckgo.com
>
> ; <<>> DiG 9.11.6-P1 <<>> duckduckgo.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2573
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;duckduckgo.com. IN A
>
> ;; ANSWER SECTION:
> duckduckgo.com. 3600 IN CNAME safe.duckduckgo.com.
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 03 13:13:15 CEST 2019
> ;; MSG SIZE rcvd: 62
> ***SNAP***
>
> ***SNIP***
> root(a)ipfire: /etc/unbound # dig yandex.ru
>
> ; <<>> DiG 9.11.6-P1 <<>> yandex.ru
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43047
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;yandex.ru. IN A
>
> ;; ANSWER SECTION:
> yandex.ru. 3600 IN A 213.180.193.56
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 03 13:14:02 CEST 2019
> ;; MSG SIZE rcvd: 54***SNAP***
>
> The only site I can open in browser after restarting 'unbound' with
> "ENABLE_SAFE_SEARCH=on" is 'yandex.ru'. All others respond with "Server
> not found".
>
> HTH,
> Matthias
>
>> The zones should be transparent and resolve any names that are not overlayed by the user-data.
>>
>> -Michael
>>
>>> On 1 May 2019, at 15:11, Matthias Fischer wrote:
>>>
>>> Hi,
>>>
>>> Hm. Did I miss something?
>>>
>>> Testing the Safesearch-Feature gives me:
>>>
>>> "Hmm. We’re having trouble finding that site.
>>>
>>> We can’t connect to the server at www.google.de."
>>>
>>> => I can't connect to ANY of the now "safe searching" search engines.
>>>
>>> Only https://yandex.ru/ works...
>>>
>>> Best,
>>> Matthias
>>>
>>> On 30.04.2019 18:16, Michael Tremer wrote:
>>>> Signed-off-by: Michael Tremer >>>> --- >>>> src/initscripts/system/unbound | 215 +++++++++++++++++++++++++++++++++++= ++++++ >>>> 1 file changed, 215 insertions(+) >>>>=20 >>>> diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unb= ound >>>> index fbb096e0d..4ac8331dc 100644 >>>> --- a/src/initscripts/system/unbound >>>> +++ b/src/initscripts/system/unbound >>>> @@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL=3D"dnssec-failed.org" >>>>=20 >>>> INSECURE_ZONES=3D >>>> USE_FORWARDERS=3D1 >>>> +ENABLE_SAFE_SEARCH=3Doff >>>>=20 >>>> # Cache any local zones for 60 seconds >>>> LOCAL_TTL=3D60
>>>> @@ -21,6 +22,202 @@ LOCAL_TTL=3D60 >>>> # EDNS buffer size >>>> EDNS_DEFAULT_BUFFER_SIZE=3D4096 >>>>=20 >>>> +GOOGLE_TLDS=3D( >>>> + google.ad >>>> + google.ae >>>> + google.al >>>> + google.am >>>> + google.as >>>> + google.at >>>> + google.az >>>> + google.ba >>>> + google.be >>>> + google.bf >>>> + google.bg >>>> + google.bi >>>> + google.bj >>>> + google.bs >>>> + google.bt >>>> + google.by >>>> + google.ca >>>> + google.cat >>>> + google.cd >>>> + google.cf >>>> + google.cg >>>> + google.ch >>>> + google.ci >>>> + google.cl >>>> + google.cm >>>> + google.cn >>>> + google.co.ao >>>> + google.co.bw >>>> + google.co.ck >>>> + google.co.cr >>>> + google.co.id >>>> + google.co.il >>>> + google.co.in >>>> + google.co.jp >>>> + google.co.ke >>>> + google.co.kr >>>> + google.co.ls >>>> + google.com >>>> + google.co.ma >>>> + google.com.af >>>> + google.com.ag >>>> + google.com.ai >>>> + google.com.ar >>>> + google.com.au >>>> + google.com.bd >>>> + google.com.bh >>>> + google.com.bn >>>> + google.com.bo >>>> + google.com.br >>>> + google.com.bz >>>> + google.com.co >>>> + google.com.cu >>>> + google.com.cy >>>> + google.com.do >>>> + google.com.ec >>>> + google.com.eg >>>> + google.com.et >>>> + google.com.fj >>>> + google.com.gh >>>> + google.com.gi >>>> + google.com.gt >>>> + google.com.hk >>>> + google.com.jm >>>> + google.com.kh >>>> + google.com.kw >>>> + google.com.lb >>>> + google.com.ly >>>> + google.com.mm >>>> + google.com.mt >>>> + google.com.mx >>>> + google.com.my >>>> + google.com.na >>>> + google.com.nf >>>> + google.com.ng >>>> + google.com.ni >>>> + google.com.np >>>> + google.com.om >>>> + google.com.pa >>>> + google.com.pe >>>> + google.com.pg >>>> + google.com.ph >>>> + google.com.pk >>>> + google.com.pr >>>> + google.com.py >>>> + google.com.qa >>>> + google.com.sa >>>> + google.com.sb >>>> + google.com.sg >>>> + google.com.sl >>>> + google.com.sv >>>> + google.com.tj >>>> + google.com.tr >>>> + google.com.tw >>>> + google.com.ua >>>> + 
google.com.uy >>>> + google.com.vc >>>> + google.com.vn >>>> + google.co.mz >>>> + google.co.nz >>>> + google.co.th >>>> + google.co.tz >>>> + google.co.ug >>>> + google.co.uk >>>> + google.co.uz >>>> + google.co.ve >>>> + google.co.vi >>>> + google.co.za >>>> + google.co.zm >>>> + google.co.zw >>>> + google.cv >>>> + google.cz >>>> + google.de >>>> + google.dj >>>> + google.dk >>>> + google.dm >>>> + google.dz >>>> + google.ee >>>> + google.es >>>> + google.fi >>>> + google.fm >>>> + google.fr >>>> + google.ga >>>> + google.ge >>>> + google.gg >>>> + google.gl >>>> + google.gm >>>> + google.gp >>>> + google.gr >>>> + google.gy >>>> + google.hn >>>> + google.hr >>>> + google.ht >>>> + google.hu >>>> + google.ie >>>> + google.im >>>> + google.iq >>>> + google.is >>>> + google.it >>>> + google.je >>>> + google.jo >>>> + google.kg >>>> + google.ki >>>> + google.kz >>>> + google.la >>>> + google.li >>>> + google.lk >>>> + google.lt >>>> + google.lu >>>> + google.lv >>>> + google.md >>>> + google.me >>>> + google.mg >>>> + google.mk >>>> + google.ml >>>> + google.mn >>>> + google.ms >>>> + google.mu >>>> + google.mv >>>> + google.mw >>>> + google.ne >>>> + google.nl >>>> + google.no >>>> + google.nr >>>> + google.nu >>>> + google.pl >>>> + google.pn >>>> + google.ps >>>> + google.pt >>>> + google.ro >>>> + google.rs >>>> + google.ru >>>> + google.rw >>>> + google.sc >>>> + google.se >>>> + google.sh >>>> + google.si >>>> + google.sk >>>> + google.sm >>>> + google.sn >>>> + google.so >>>> + google.sr >>>> + google.st >>>> + google.td >>>> + google.tg >>>> + google.tk >>>> + google.tl >>>> + google.tm >>>> + google.tn >>>> + google.to >>>> + google.tt >>>> + google.vg >>>> + google.vu >>>> + google.ws >>>> +) >>>> + >>>> # Load optional configuration >>>> [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound >>>>=20 
>>>> @@ -481,6 +678,21 @@ fix_time_if_dns_fail() { >>>> fi >>>> } >>>>=20 >>>> +# Sets up Safe Search for various search engines >>>> +setup_safe_search() { >>>> + # Nothing to do if safe search is not enabled >>>> + if [ "${ENABLE_SAFE_SEARCH}" !=3D "on" ]; then >>>> + return 0 >>>> + fi >>>> + >>>> + local domain >>>> + >>>> + # Google >>>> + for domain in ${GOOGLE_TLDS[@]}; do >>>> + unbound-control local_data "${domain} CNAME forcesafesearch.google.co= m." >>>> + done >>>> +} >>>> + >>>> case "$1" in >>>> start) >>>> # Print a nicer messagen when unbound is already running >>>> @@ -501,6 +713,9 @@ case "$1" in >>>> # Make own hostname resolveable >>>> own_hostname >>>>=20 >>>> + # Setup Safe Search >>>> + setup_safe_search >>>> + >>>> # Update any known forwarding name servers >>>> update_forwarders >>>>=20 >>>>=20 >>>=20 >>=20 >>=20 >=20 --===============3898746108213220855==--
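
Review bot: The GOOGLE_TLDS array added in the @@ -21,6 +22,202 @@ hunk hard-codes about 190 domains inside the initscript with no comment on where the list came from or how it is kept current, so any change to the set of Google domains needs a new initscript and stale entries will go unnoticed. Consider moving the list to a separate data file that the script reads, and add a comment naming its source. Because the array is defined before /etc/sysconfig/unbound is sourced, a local override is possible, which is worth stating in that comment. The array syntax is also bash-specific, so confirm the script's interpreter line, which is not visible in this patch, is bash rather than plain sh.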
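
Review bot: In setup_safe_search() (the @@ -481,6 +678,21 @@ hunk), the loop installs the record on the bare name only, as in `unbound-control local_data "${domain} CNAME forcesafesearch.google.com."`, so a query for www.${domain} is not covered by anything visible in this patch, and a CNAME is being placed at a name that normally carries other record types. The dig output quoted in this thread for duckduckgo.com shows a locally answered response containing only the CNAME and no address record, which lines up with the "Server not found" reports; please confirm that clients actually receive an address for forcesafesearch.google.com through this path, or install the address records for the target alongside the CNAME. As a smaller point, the expansion in `for domain in ${GOOGLE_TLDS[@]}` should be quoted as "${GOOGLE_TLDS[@]}".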
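
Review bot: In the start) branch (the @@ -501,6 +713,9 @@ hunk), setup_safe_search is called with its result ignored, and inside the function the exit status of each unbound-control call is never checked, so a partly applied list fails silently while ENABLE_SAFE_SEARCH=on suggests the filter is active. Suggest counting failed calls and logging a warning when any record could not be added. The loop also spawns one unbound-control process per domain at every start; feeding all records to a single `unbound-control local_datas` call on stdin would avoid that. The visible hunks wire the function into start) only, so it is worth checking that any other path which reloads the configuration re-applies the records too.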